Are you receiving an error “An error occurred when calling the RevokeSecurityGroupIngress operation” in AWS? We can help you fix it.
Here at Bobcares, we have seen several such AWS-related queries as part of our AWS Support Services for AWS users and online service providers.
Today we'll take a look at what this error means and how to fix it.
Know more about RevokeSecurityGroupIngress
The RevokeSecurityGroupIngress API removes a specified inbound rule from a security group. To remove the rule, we must specify values that match the existing rule's values exactly.
Each rule consists of a protocol and a source (for example a CIDR block or a source security group). For the TCP and UDP protocols, we also need to specify the destination port or range of ports.
Why does the "An error occurred when calling the RevokeSecurityGroupIngress operation" error occur
Generally, the AWS Config rule checks whether the security group allows inbound TCP or UDP traffic from 0.0.0.0/0.
For example, to allow TCP ports 443 and 1020-1025 to be open to 0.0.0.0/0, we specify those ports in the AWS Config rule parameter. The SSM document AWS-DisablePublicAccessForSecurityGroup is limited to the default SSH (22) and RDP (3389) ports, opened either to all IP addresses (0.0.0.0/0) or to a specified IPv4 address given in the IpAddressToBlock parameter.
This error can occur for several reasons: the security group rule does not exist, no region is specified in the code, a previous request has not yet propagated, permissions are insufficient, or the credentials are incorrect.
How we fix the error “An error occurred when calling the RevokeSecurityGroupIngress operation”
One of our customers was trying to use the AWS Systems Manager Automation document 'AWS-DisablePublicAccessForSecurityGroup' to close the SSH and RDP ports. However, auto-remediation with the AWS Config rule vpc-sg-open-only-to-authorized-ports failed with the error given below:
An error occurred (InvalidPermission.NotFound) when calling the RevokeSecurityGroupIngress operation: The specified rule does not exist in this security group.
Now let's see how our Support Engineers fix this error message for our customers.
This error indicates that the target security group doesn’t have an inbound rule, or isn’t located in the default Amazon Virtual Private Cloud (Amazon VPC).
Note: We make sure that the AWS Command Line Interface (AWS CLI) is installed and configured first.
First, we run the describe-remediation-execution-status command below to verify the error message.
aws configservice describe-remediation-execution-status --config-rule-name vpc-sg-open-only-to-authorized-ports --region af-south-1 --resource-keys resourceType=AWS::EC2::SecurityGroup,resourceId=sg-1234567891234567891
For the remediation to succeed, the inbound rules of the security group must specify the open ports using one of the following patterns:
0.0.0.0/0
::/0
SSH or RDP port + 0.0.0.0/0
SSH or RDP port + ::/0
Finally, configure auto-remediation for any other ports. For that, a custom SSM document can be used to automate the process.
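As an added example (not the customer's or Bobcares' code), the following Python works out which inbound rules a RevokeSecurityGroupIngress call can actually remove, given input in the IpPermissions shape that DescribeSecurityGroups returns; the sample security group is constructed. An empty result is exactly the situation that produces InvalidPermission.NotFound, so checking it before revoking avoids the failed remediation.

```python
# Added example, not from the original post: work out which inbound rules a
# RevokeSecurityGroupIngress call can actually remove. A revoke request must
# match an existing rule exactly (protocol, port range, source), which is why
# revoking a rule that is not there fails with InvalidPermission.NotFound.
# Input follows the IpPermissions shape returned by DescribeSecurityGroups.

PUBLIC_V4 = "0.0.0.0/0"
PUBLIC_V6 = "::/0"


def public_rules_to_revoke(ip_permissions, ports=(22, 3389)):
    """Return exact IpPermissions entries for revoke_security_group_ingress.

    Keeps TCP rules whose port range covers one of `ports` and whose source is
    0.0.0.0/0 or ::/0; the full existing FromPort/ToPort is preserved so the
    payload matches the rule as AWS stores it. Empty result: nothing to revoke.
    """
    to_revoke = []
    for perm in ip_permissions:
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if perm.get("IpProtocol") != "tcp" or lo is None or hi is None:
            continue
        if not any(lo <= p <= hi for p in ports):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == PUBLIC_V4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == PUBLIC_V6]
        if not v4 and not v6:
            continue  # public access comes from another source type, or none
        entry = {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi}
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        to_revoke.append(entry)
    return to_revoke


# Constructed sample: SSH open to the world and to an office range, RDP open
# only to the office range, HTTPS public (not an SSH/RDP port, so ignored).
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
```

Note that a rule such as TCP 0-65535 from 0.0.0.0/0 also exposes port 22, and the revoke payload must then name the whole 0-65535 range, not port 22 alone, or the API reports that the rule does not exist.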
[Need any further assistance in fixing AWS errors? – We are here to help you.]
Conclusion
In short, this error indicates that the target security group doesn’t have an inbound rule, or isn’t located in the default Amazon Virtual Private Cloud (Amazon VPC).